Overall, a division of labour appears to have crystallised: pure GDPR cases are primarily brought before DPAs and only appealed before ordinary or administrative courts, while labour courts generally engage with data protec­tion indirectly, as a complementary framework. This dif­ferentiation is not inherently problematic, as it reflects the respective competencies of the two fora. DPAs pos­sess specialised expertise and investigative and sanc­tioning powers, while labour courts provide a contextu­alised understanding of working relationships. The chal­lenge lies in ensuring coordination, consistency and mutual reinforcement between these parallel enforce­ment tracks. From this perspective, the Digital Omnibus Act proposed by the European Commission risks undermining one of the few successful points of interaction between the GDPR and labour law. Indeed, in amending Article 12, the proposal ap ­pears to restrict data subjects’ access requests, by allowing controllers to charge a fee or refuse requests because a data subject“exploits the rights conferred by the GDPR for purposes other than data protection”. This is difficult to justify, as the right of access is a self-standing right whose exercise cannot depend on the individual’s underlying pur­pose, 21 and such an amendment may also potentially con­flict with Article 8(2) of Charter of Fundamental Rights of the EU(noyb 2025b). From our perspective, such a restric ­tion would also be counterproductive. Several national re­ports show that the right of access is one of the few GDPR rights having achieved a good level of enforcement in the workplace, and that workers have used it as an innovative de facto discovery tool. This has strengthened enforcement not only in relation to data protection violations, but also – and especially – in disputes before labour courts regarding the enforcement of pure labour rights, generating a posi­tive dynamic in the broader protection of workers’ rights. One example is the first Italian case in which a platform worker was judicially recognised as an employee: 22 the worker had exercised the right of access to obtain informa­tion that was later used as evidence in court, an especially effective strategy in cases where there is no formal discov­ery mechanism and the burden of proof lies with the claim­ant(Gaudio 2022). A revision of Article 12 along the lines proposed in the Digital Omnibus Act would likely prejudice this type of legitimate and socially valuable use of the right of access, through which workers file access requests that may reveal other labour law violations. For instance, in a dispute over unpaid hours, an employee may request ac­cess to digital records of working time or shift allocations (noyb 2025b). It would also be difficult to justify, given that this is one of the few areas where GDPR enforcement in the workplace has proved both meaningful and effective. Workers’ representatives and collective enforce­ment: the untapped potential of the GDPR In principle, workers’ representatives are better positioned than individual workers to enforce data protection rights. They possess collective legitimacy, as well as better techni­cal expertise and organisational resources(Agosti et al. 2023; Gaudio 2024). Yet in practice, national reports gener ­ally show that their role remains marginal and largely un­derutilised. Across Member States, collective enforcement of data protection rights in the workplace remains the ex­ception rather than the rule. The main structural obstacle lies in the GDPR’s individu­al-rights model, which recognises only data subjects, not collective entities. While national labour laws often grant standing to representatives to defend their own rights, ex­tending this capacity to the enforcement of workers’ data rights requires explicit legal authorisation. Article 80 GDPR may have bridged this gap, offering two mechanisms for representative litigation(Federico 2023). Under Article 80(1), a data subject may mandate a repre ­sentative entity to lodge a complaint on his or her behalf. Under Article 80(2), Member States may empower such en ­tities to lodge complaints independently, without a man­date. While the first mechanism is directly applicable, the second – far more powerful, as it is intended to enable pri ­vate organisations to bring complaints directly in response to GDPR infringements – requires national implementation, though this need not necessarily take the form of a specific provision where domestic law already grants legal entities direct standing in representative actions. 23 This research confirms previous findings that implementa­tion of Article 80 is at best uneven(Pato 2019) and further highlights that it has had minimal practical impact in the employment context – an unsurprising finding for those fa ­miliar with the field. The first reason is that it is not entirely clear whether work­ers’ representatives fall within the scope of representative entities. It should be noted that this provision guarantees legal standing to any“not-for-profit body, organisation or association which has been properly constituted in accord­ance with the law of a Member State, has statutory objec­tives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data”. The CJEU has so far interpreted this provision quite broadly 24 and, on the basis of this case law, it may be argued that Member States cannot restrict it in a way that would ex­clude workers’ representatives as such from qualifying as 21 CJEU Case C-579/21 Pankki 22 June 2023 ECLI:EU:C:2023:501, para 88; CJEU Case C-307/22 FT 26 October 2023 ECLI:EU:C:2023:811, paras 29-52. 22  Trib. Palermo 20 November 2020, no. 3570. 23 CJEU Case C-319/20 Meta 28 April 2022 ECLI:EU:C:2022:322; CJEU Case C-757/22 Meta Platforms Ireland 11 July 2024 ECLI:EU:C:2024:598. 24  CJEU Case C-319/20 Meta 28 April 2022 ECLI:EU:C:2022:322, paras 60-66. Empirical findings 13